DEV540: Secure DevOps and Cloud Application Security Beta

This course covers how developers and security professionals can build and deliver secure software using DevOps and cloud services, specifically Amazon Web Services (AWS). It explains how principles, practices, and tools in DevOps and AWS can be leveraged to improve the reliability, integrity, and security of applications.

The first two days of the course cover how Secure DevOps can be implemented using lessons from successful DevOps security programs. Students build a secure DevOps CI/CD toolchain and understand how code is automatically built, tested, and deployed using popular open source tools such as git, Puppet, Jenkins, and Docker. In a series of labs you learn to inject security into your CI/CD toolchain using various security tools, patterns, and techniques.

The final three days of the course cover how developers and security professionals can utilize AWS services to build secure software in the cloud. Students leverage the CI/CD toolchain to push application code directly to the cloud instead of to local servers on their class virtual machines. Students analyze and fix applications hosted in the cloud using AWS services and features such as API Gateway, IAM, signed cookies, Security Token Service, autoscaling, KMS, encryption, WAF, and Lambda for Serverless computing.

This course also makes extensive use of Amazon Web Services (AWS) and associated developer tools such as CloudFormation, CodeCommit, CodeBuild, CodePipeline, and other cloud application services so students can experience how these services can be utilized in their applications.

This course will prepare you to:

Understand the core principles and patterns behind DevOps.

Recognize how work is done in DevOps, and identify keys to success in DevOps

Map out and implement a Continuous Delivery/Deployment pipeline

Create a Value Stream Map of the processes and workflows in making code or configuration changes - from check-in to deployment and operations.

Please note that the course material for DEV540 and DEV534 overlaps. Days 1 and 2 of DEV540 contain material that is covered in DEV534. We recommend DEV540 for those interested in DevOps and cloud application security with Amazon Web Services (AWS). DEV534 only covers Secure DevOps topics.

Course Syllabus

DEV540.1: Introduction to Secure DevOps

Overview

An introduction to DevOps practices, principles and tooling. How DevOps works, and how work is done in DevOps. The importance of culture, collaboration, and automation in DevOps.

Using case studies of DevOps "Unicorns" - the Internet tech leaders who have created the DNA for DevOps - you understand how and why they succeeded. This includes the keys to their DevOps security programs.

Then you learn Continuous Delivery - the automation engine in DevOps - and how to build up a Continuous Delivery or Continuous Deployment pipeline. This includes how security controls can be folded into or wired into the CD pipeline, and how to automate security checks and tests in CD.

Exercises

Understanding CI/CD pipelines

Deployment Kata

Automating static analysis in CI

Automating dynamic analysis in CI/CD

CPE/CMU Credits: 6

Topics

Introduction to DevOps

Case studies on DevOps Unicorns

DevOps Principles

Working in DevOps

From Continuous Integration to Continuous Delivery

Building a CD Pipeline

Deployment Kata

Secure Continuous Delivery: Challenges and Issues

Introducing Security into CD

Static Analysis in CD

Pen Testing and Manual Assessments - how do they fit in DevOps?

Vulnerability Management in CD

Securing your Software Supply Chain

Automated security testing and scanning in CI/CD

DEV540.2: Moving to Production

Overview

Building on the ideas and frameworks developed in Section 1, you learn how secure Infrastructure as Code, using modern automated configuration management tools like Puppet, Chef and Ansible, allows you to quickly and consistently deploy new infrastructure and manage configurations.

Because the automated CD pipeline is so critically important to DevOps, you also learn how to secure the pipeline, including RASP and other run-time defense technologies. This includes containerization and security issues when using containers like Docker.

Next you learn how to protect the secrets that are used by the automated CI/CD tools.

Finally, you learn how to build compliance into Continuous Delivery, using the security controls and guardrails that have been built into the DevOps toolchain.

DEV540.3: Moving to the Cloud

Overview

Utilizing DevOps principles, you learn how to move your CI/CD toolchain into the cloud. This section provides an overview of Amazon Web Services (AWS) and introduces the foundational tools and practices needed to securely deploy your applications in the cloud.

Exercises

AWS configuration and setup

AWS CLI automation

Securing VPC with CloudFormation

Infrastructure automation

CodeCommit, CodeBuild, and CodePipeline

Cloud container orchestration with ECR and ECS

CPE/CMU Credits: 6

Topics

Introduction to the cloud

Overview of cloud definitions

IaaS, PaaS, SaaS

Key cloud computing characteristics

Cloud deployment models

Cloud computing adoption

Cloud provider comparison

Introduction to Amazon Web Services (AWS)

AWS services

Application architecture

AWS CLI

Cloud infrastructure as code

EC2 introduction

Virtual Private Cloud networks

CloudFormation

Cloud CI/CD

CodeCommit

CodeBuild

CodePipeline

Securing CI/CD

Cloud container orchestration

Orchestration comparison

AWS ECS, Google Container Service, Azure Containers

Automating deployment

DEV540.4: Cloud Application Security (1)

Overview

Leverage cloud application security services to ensure that applications have appropriate authentication and access control functionality while maintaining availability even while patching critical security defects.

Additional Information

Laptop Required

!!! IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS !!!

!!! IMPORTANT - STUDENTS MUST CREATE A NEW AWS FREE-TIER ACCOUNT TO COMPLETE THE CLOUD EXERCISES !!!

!!! IT CAN TAKE MORE THAN 24 HOURS FOR A NEW AWS FREE-TIER ACCOUNT TO BECOME ACTIVE !!!

!!! YOU MUST CREATE AN ACCOUNT WHEN YOU REGISTER TO ENSURE THAT IT IS ACTIVE IN TIME FOR CLASS !!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to class beginning. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 10, VMware Fusion 7.0, or VMware Workstation Player 7.0. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.

VMware Workstation Player is a free download that does not need a commercial license. Most students find VMware Workstation Player adequate for the course.

Mandatory Laptop Requirements

Mandatory Host Hardware Requirements

CPU: 64-bit 2.5+ GHz multi-core processor or higher

Memory: 16GB of RAM minimum

Hard Disk: 50GB of free disk space minimum

Working USB 2.0 or higher port

Students must have Local Administrator access on their host operating system

Verify the BIOS settings have virtualization enabled

Mandatory Host Operating System Requirements

You must bring a 64-bit laptop with one of the following operating systems. These operating systems have been verified to be compatible with the course VMware image:

Windows (7, 8, or 10)

Mac OS X (Yosemite, El Capitan, Sierra)

Mandatory Software Requirements

Please ensure the following software is installed on the host operating system prior to class:

This course teaches students about DevOps and application security in a cloud environment. The exercises are done online in the AWS cloud. To complete these exercises, students must register a NEW AWS free-tier account prior to the start of the class:

What You Will Receive

Hands-on Training

This class reinforces knowledge transfer through many hands-on labs. This goes well beyond the traditional lecture and delves into the practical application of techniques.

The class Workbook not only provides a step-by-step guide to learning and applying hands-on techniques, but also offers a "no hints" approach for those who want to stretch their skills and see how far they can get without following the guide. This allows students of varying backgrounds to pick a difficulty level and always have a frustration-free fallback path.

Author Statement

DevOps and cloud are radically changing the way that organizations design, build, deploy and operate online systems. Leaders like Amazon, Etsy and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning and continuously improving and continuously growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet "Unicorns" and cloud providers into enterprises.

Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams who have broken down "the walls of confusion" in their organizations are increasingly leveraging new kinds of automation: Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers and cloud service platforms. The question is, can security take advantage of the tools and automation to better secure its systems?

Security must be reinvented in a DevOps and cloud world.
